cryptography: block ciphers - carnegie mellon university · cryptography: block ciphers edward j....
Post on 09-May-2018
234 Views
Preview:
TRANSCRIPT
Cryptography: Block Ciphers
Edward J. SchwartzCarnegie Mellon University
Credits:Slides originally designed by David Brumley. Many other slides are from Dan Boneh’s June 2012 Coursera crypto class.
What is a block cipher?Block ciphers are the crypto work horse
Canonical examples:1. 3DES: n = 64 bits, k = 168 bits2. AES: n = 128 bits, k = 128, 192, 256 bits
Block of plaintext
n bits
Key
k bits
Block of ciphertext
n bits
E, D
2
Block ciphers built by iteration
key expansion
key k1 key k2 key k3 key kn
key k
m R(k1, ∙) R(kn, ∙)R(k3, ∙)R(k2, ∙) c
R(k, m) is called a round functionEx: 3DES (n=48), AES128 (n=10)
m cm1 m2 m3
3
Performance: Stream vs. block ciphers
Crypto++ 5.6.0 [Wei Dai]
AMD Opteron, 2.2 GHz (Linux)
Cipher Block/key size Throughput [MB/s]
Stream
RC4 126
Salsa20/12 643
Sosemanuk 727
Blo
ck
3DES 64/168 13
AES128 128/128 109
4
History of DES
• 1970s: Horst Feistel designs Lucifer at IBMkey = 128 bits, block = 128 bits
• 1973: NBS asks for block cipher proposals.IBM submits variant of Lucifer.
• 1976: NBS adopts DES as federal standardkey = 56 bits, block = 64 bits
• 1997: DES broken by exhaustive search
• 2000: NIST adopts Rijndael as AES to replace DES. AES currently widely deployed in banking, commerce and Web
6
DES: core idea – Feistel networkGiven one-way functions
Goal: build invertible function
R1
L1
R2
L2
Rd
Ld
Rd-1
Ld-1
fd
⊕
n-b
its R0
n-b
its L0
f1
⊕
f2
⊕
• • •
input output
In symbols:
7
Feistel network - inverseClaim:
Feistel function F is invertible
Proof: construct inverse
Ri+1
Li+1
Ri
Li
fi+1
⊕
inverse Ri
Li
Ri+1
Li+1
fi+1
⊕
8
Ld-1
Rd-1
Ld-2
Rd-2
Decryption circuit
Rd
Ld
fd
⊕n-b
itsn
-bits
fd-1
⊕
• • •
R0
L0L1
R1
f1
⊕
• Inversion is basically the same circuit, with f1, …, fd applied in reverse order
• General method for building invertible functions (block ciphers) from arbitrary functions.
• Used in many block ciphers … but not AES9
Recall from Last Time:Block Ciphers are (Modeled As) PRPs
Pseudo Random Permutation (PRP) defined over (K,X)
such that:
1. Exists “efficient” deterministic algorithm to evaluate E(k,x)
2. The function E(k, ∙) is one-to-one
3. Exists “efficient” inversion algorithm D(k,y)
XX E(k,⋅), k ∊ K
D(k, ⋅), k ∊ K
10
is a secure PRF
⇒ 3-round Feistel
is a secure PRP
Luby-Rackoff Theorem (1985)
n-b
itsn
-bits
input
R0
L0
f
⊕
R1
L1
f
⊕
R3
L3
R2
L2
f
⊕
output
11
DES: 16 round Feistel network
key expansion
key k1
key k
• • •
64
bits
64
bits
IP-1IP
R1
L1
R2
L2
R16
L16
R15
L15
f16
R0
L0
f1
⊕
f2 • • •
⊕ ⊕
16 round Feistel network
56 bits
48 bits
key k2 key k16
To invert, use keys in reverse order12
The function F(ki, x)
x32 bits
E
x’48 bits
ki
48 bits
⊕48 bits
P
32 bitsy
6
4
S1
6
4
S2
6
4
S3
6
4
S4
6
4
S5
6
4
S6
6
4
S7
6
4
S8
32 bitsS-box: function {0,1}6 ⟶ {0,1}4, implemented as lookup table.
13
The S-boxes
• Alan Konheim (one of the designers of DES) commented, "We sent the S-boxes off to Washington. They came back and were all different.“
• 1990: (Re-)Discovery of differential cryptanalysis– DES S-boxes resistant to differential
cryptanalysis!
– Both IBM and NSA knew of attacks, but they were classified
15
Exhaustive Search for block cipher key
Goal: given a few input output pairs
(mi, ci = E(k, mi)) i=1,..,n find key k.
Attack: Brute force to find the key k.
Homework: What is the probability that the key kfound with one <m,c> pair is correct? For two pairs?
17
msg = “The unknown messages is:XXXXXXXX…“
CT =
Goal: find k ∈ {0,1}56 s.t. DES(k, mi) = ci for i=1,2,3
Proof: Reveal DES-1(k, c4)
⇒ 56-bit ciphers should not be used (128-bit key ⇒ 272 days)
c1
DES challenge
18
c2 c3 c4
1976 DES adopted as federal standard
1997 Distributed search 3 months
1998 EFF deep crack 3 days $250,000
1999 Distributed search 22 hours
2006 COPACOBANA (120 FPGAs) 7 days $10,000
Strengthening DES
Method 1: Triple-DES
Let E : K × M ⟶M be a block cipher
Define 3E: K3 × M ⟶M as:3E( (k1,k2,k3), m) = E(k1, D(k2, E(k3, m) ) )
3DES- Key-size: 3×56 = 168 bits- 3×slower than DES- Simple attack in time: ≈2118
k1 = k2 = k3 => DES
19
• Define 2E( (k1,k2), m) = E(k1 , E(k2 , m) )
Why not 2DES?
key-len = 112 bits for 2DES
m E(k2,⋅) E(k1,⋅) c
Naïve Attack: M = (m1,…, m10), C = (c1,…,c10).For each k2∈{0,1}56:
For each k1∈{0,1}56:
if E(k2, E(k1, mi)) = ci then (k2, k1)
20
2112 checksc’’ = c?
m c'
…
…c’’
…
…
k2 k1
Meet in the middle attack
• Define 2E( (k1,k2), m) = E(k1 , E(k2 , m) )
key-len = 112 bits for 2DES
Idea: key found when c’ = c’’: E(ki, m) = D(kj, c)
m c'
…
…c
…
…c’’
m E(k2,⋅) E(k1,⋅) c
21
Meet in the middle attack
• Define 2E( (k1,k2), m) = E(k1 , E(k2 , m) )
Attack: M = (m1,…, m10) , C = (c1,…,c10).
• step 1: build table.
sort on 2nd column
maps c’ to k2
key-len = 112 bits for 2DES
k0 = 00…00k1 = 00…01k2 = 00…10
⋮kN = 11…11
E(k0 , M)E(k1 , M)E(k2 , M)
⋮E(kN , M)
256
entries
m E(k2,⋅) E(k1,⋅) c
22
Meet in the middle attack
M = (m1,…, m10) , C = (c1,…,c10)
• step 1: build table.
• Step 2: for each k∈{0,1}56:
test if D(k, c) is in 2nd column.
if so then E(ki,M) = D(k,C) ⇒ (ki,k) = (k2,k1)
k0 = 00…00k1 = 00…01k2 = 00…10
⋮kN = 11…11
E(k0 , M)E(k1 , M)E(k2 , M)
⋮E(kN , M)
m E(k2,⋅) E(k1,⋅) c
23
Meet in the middle attack
Time = 256log(256) + 256 log(256) < 263 << 2112
Space ≈ 256 [Table Size]
Same attack on 3DES: Time = 2118 , Space ≈ 256
m E(k2,⋅) E(k1,⋅) cE(k3,⋅)
[Build & Sort Table] [Search Entries]
m E(k2,⋅) E(k1,⋅) c
24
Method 2: DESX
E : K × {0,1}n ⟶ {0,1}n a block cipher
Define EX as
EX(k1, k2, k3, m) = k1 ⨁ E(k2, m⨁k3 )
For DESX: key-len = 64+56+64 = 184 bits
… but easy attack in time 264+56 = 2120
Note: k1⨁E(k2, m) and E(k2, m⨁k1) does nothing!25
Attacks on the implementation
1. Side channel attacks: – Measure time to do enc/dec, measure power for enc/dec
2. Fault attacks:
– Computing errors in the last round expose the secret key k
⇒ never implement crypto primitives yourself …
[Kocher, Jaffe, Jun, 1998]
smartcard
26
Card is doing DES
IP IP-1
16 rounds
The AES process
• 1997: DES broken by exhaustive search
• 1997: NIST publishes request for proposal
• 1998: 15 submissions
• 1999: NIST chooses 5 finalists
• 2000: NIST chooses Rijndael as AES (developed by Daemen and Rijmen at K.U. Leuven, Belgium)
Key sizes: 128, 192, 256 bits
Block size: 128 bits
28
AES core idea: Subs-Perm network
DES is based on Feistel networks
AES is based on the idea of
substitution-permutation networks
That is, alternating steps of substitution and
permutation operations
29
AES: Subs-Perm networkin
pu
t
⊕
k1
ou
tpu
t
⊕
k2
S1
S2
S3
S8
S1
S2
S3
S8
S1
S2
S3
S8
⊕
kn
• • •
subs.layer
perm.layer
inversion30
AES128 schematic
⊕input
4
4
k0 k1 k2 k9
⊕ ⊕ • • •(1) ByteSub(2) ShiftRow(3) MixColumn
(1) ByteSub(2) ShiftRow(3) MixColumn
⊕(1) ByteSub(2) ShiftRow
⊕
output
4
4k10
key
Key expansion: 16 bytes ⟶176 bytes
10 rounds
4
4
31
• ByteSub: a 1 byte S-box. 256 byte table (easily computable)
• ShiftRows:
• MixColumns:
The round function
s0,0 s0,1 s0,2 s0,3
s1,0 s1,1 s1,2 s1,3
s2,0 s2,1 s2,2 s2,3
s3,0 s3,1 s3,2 s3,3
s0,0 s0,1 s0,2 s0,3
s1,1 s1,2 s1,3 s1,0
s2,2 s2,3 s2,0 s2,1
s3,3 s3,0 s3,1 s3,2
s0,0 s0,1 s0,2 s0,3
s1,0 s1,1 s1,2 s1,3
s2,0 s2,1 s2,2 s2,3
s3,0 s3,1 s3,2 s3,3
s’0,0 s’0,1 s’0,2 s’0,3
s’1,0 s’1,1 s’1,2 s’1,3
s’2,0 s’2,1 s’2,2 s’2,3
s’3,0 s’3,1 s’3,2 s’3,3
s0,c
s1,c
s2,c
s3,c
s’0,c
s’1,c
s’2,c
s’3,c
MixColumns()
32
Code size/performance tradeoff
Code size Performance
Pre-compute round
functions(24KB or 4KB)
largestfastest: table
lookups and xors
Pre-compute S-box only
(256 bytes)smaller slower
No pre-computation
smallest slowest
33
Size + performance (Javascript AES)
AES in the browser
AES library (6.4KB)
No pre-computed tables
(1) Uncompress code (one time effort)
(2) Pre-compute tables (one time effort)
(3) Perform encryption using tables
Implementation: Stanford Javascript Crypto Libraryhttps://crypto.stanford.edu/sjcl/
34
Problem:
m1 = m2 ⟶ c1 = c2
37
m1 m2 m3 m4 m5 mnPT: • • •
c1 c2 c3 c4 c5 cnCT: • • •
Electronic Code Book (ECB) Mode
E(k, mi)
Semantic security for ECB mode
39
ECB is not semantically secure for messages that contain more than one block
Challenger
k ← K
Adversary Am0 = “Hello World”m1 = “Hello Hello”
Two blocks
(c1, c2) ← E(k,mb)
if c1 = c2 output 1else output 0
AdvSS[A,ECB] = 1
Deterministic counter mode
40
from a PRF F:EDETCTR(k,m) =
Stream cipher built from a PRF (e.g. AES, 3DES) Better than ECB but only works as long as the key is only used once (one-time-key)
m[0] m[1] m[L]• • •m[2]
F(k,0) F(k,1) F(k,L)• • •F(k,2)
⊕
c[0] c[1] c[L]• • •c[2]
Semantic security under CPA
42
Modes that return the same ciphertext (e.g., ECB, CTR) for the same plaintext are not semantically secure under a chosen plaintext attack (CPA) (many-time-key)
if cb = c0 output 0else output 1
m0, m0∊M
C0 ← E(k,m)m0, m1 ∊M
Cb ← E(k,mb)
Challenger
k ← K
Adversary A
Encryption modes must be randomized or use a nonce (or are vulnerable to CPA)
Semantic security under CPA
43
Modes that return the same ciphertext (e.g., ECB, CTR) for the same plaintext are not semantically secure under a chosen plaintext attack (CPA) (many-time-key)
Two solutions:
1. Randomized encryption
Encrypting the same msg twice gives different ciphertexts (w.h.p.)
Ciphertext must be longer than plaintext
2. Nonce-based encryption
Nonce-based encryption
44
Nonce n: a value that changes for each msg.
E(k,m,n) / D(k,c,n)
(k,n) pair never used more than once
m,nE
k
E(k,m,n) = cD
c,n
k
E(k,c,n) = m
Nonce-based encryption
45
Method 1: Nonce is a counter
Used when encryptor keeps state from msg to msg
If decryptor has same state, nonce need not be transmitted (i.e., len(PT) = len(CT))
Method 2: Sender chooses a random nonce
No state required but nonce has to be transmitted with CT
Cipher block chaining mode (CBC)
46
Let(E,D) be a PRP. ECBC(k,m): chose random IV ∊ X and do:
⊕ ⊕
c[0] c[1] c[2] c[3]IV
⊕ ⊕
E(k,∙) E(k,∙) E(k,∙)E(k,∙)
m[0] m[1] m[2] m[3]IV
ciphertextDecryption:
c[0] = E(k, IV⊕m[0]) ⟶m[0] = D(k,c[0]) ⊕ IV
Suppose given c ← ECBC(k,m) Adv. can predict IV for next msg.
Attack on CBC with Predictable IV
47
0∊ X
output 0 if c[1] = c1[1]
c1 ← [IV1, E(k,0⊕ IV1)]m0= IV⊕IV1, m1 ≠ m0∊M
c ← [IV, E(k,IV1)] orc ← [IV, E(k,m1⊕ IV)]
(IV ⊕ IV1)⊕IV
Challenger
k ← K
Adversary A
Bug in SSL/TLS 1.1: IV for record #i is last CT block of record #(i-1)
Nonce-based CBC
48
CBC with unique nonce: key = (k, k1) two independent keysunique nonce means: (key,n) pair is used for only one msg.
⊕ ⊕
c[0] c[1] c[2] c[3]nonce
⊕ ⊕
E(k,∙) E(k,∙) E(k,∙)E(k,∙)E(k1,∙)
m[0] m[1] m[2] m[3]nonce
ciphertext
IV
Included only if unknown to decryptor
CBC: padding
49
TLS: for n > 0 n byte pad is:
If no pad needed, add a dummy block:
⊕ ⊕
c[0] c[1] c[2] c[3]nonce
⊕ ⊕
E(k,∙) E(k,∙) E(k,∙)E(k,∙)E(k1,∙)
m[0] m[1] m[2] m[3] || padnonce
IV
n n … n
removed during
decryption
16 16 … 16
Padding oracle side channel attacks
Cipher block chaining mode (CBC)
50
Example applications:
1. File system encryption:
use the same AES key to encrypt all files (e.g., loopaes)
2. IPsec:
use the same AES key to encrypt multiple packets
Problem:
If attacker can predict IV, CBC is not CPA-secure
Summary
Block ciphers
– Map fixed length input blocks to same length output blocks
– Canonical block ciphers: 3DES, AES
– PRPs are effectively block ciphers
– PRPs can be created from arbitrary functions through Feistel networks
• 3DES based on Feistel networks
• AES based on substitution-permutation networks
51
Linear and differential attacks [BS’89,M’93]
Given many inp/out pairs, can recover key in time less than 256 .
Linear cryptanalysis (overview) : let c = DES(k, m)
Suppose for random k,m :Pr[ m[i1]⨁⋯⨁m[ir] ⨁ c[jj]⨁⋯⨁c[jv] = k[l1]⨁⋯⨁k[lu] ] = ½ + ε
For some ε. For DES, this exists withε = 1/221 ≈ 0.0000000477
54
Linear attacks
Pr[ m[i1]⨁⋯⨁m[ir] ⨁ c[jj]⨁⋯⨁c[jv] =
k[l1]⨁⋯⨁k[lu] ] = ½ + ε
Thm: given 1/ε2 random (m, c=DES(k, m)) pairs then
k[l1,…,lu] = MAJ [ m[i1,…,ir] ⨁ c[jj,…,jv] ]
with prob. ≥ 97.7%
⇒ with 1/ε2 inp/out pairs can find k[l1,…,lu] in time ≈1/ε2 .
55
Linear attacks
For DES, ε = 1/221 ⇒
with 242 inp/out pairs can find k[l1,…,lu] in time 242
Roughly speaking: can find 14 key “bits” this way in time 242
Brute force remaining 56−14=42 bits in time 242
Total attack time ≈243 ( << 256 ) with 242
random inp/out pairs 56
Lesson
A tiny bit of linearity in S5 lead to a 242 time attack.
⇒ don’t design ciphers yourself !!
57
Quantum attacks
Generic search problem:Let f: X ⟶ {0,1} be a function.Goal: find x∈X s.t. f(x)=1.
Classical computer: best generic algorithm time = O( |X| )
Quantum computer [Grover ’96] : time = O( |X|1/2 )
Can quantum computers be built: unknown
58
top related